IBM recently introduced new features for Hyper Protect Virtual Servers for Virtual Private Cloud (HPVS for VPC). Built to address the topmost security concerns, HPVS for VPC is designed to provide a confidential computing environment to protect data and applications within your Virtual Private Cloud.

Hyper Protect Virtual Servers provide technical assurance based on IBM Secure Execution for Linux so that workloads are protected in the cloud, including the prevention of access by unauthorized users. Technical assurance means that neither the system nor cloud administrator can access sensitive data or workloads, even if they wanted to. This is a key differentiator and is now further strengthened with the enhanced security and scalability features described below.

Bring your own key for data encryption

Data-at-rest encryption for the data volumes attached to the HPVS for VPC instance is currently enabled by a Linux Unified Key Setup (LUKS) passphrase derived from two seeds: one from the deployer and one from the workload personas. These are provided during deployment as part of the HPVS for VPC deployment contract.

With the integration of HPVS for VPC with IBM Cloud Hyper Protect Crypto Services (HPCS) key management service (KMS), encryption protection and data control are enhanced with the option to bring your own key managed by HPCS. The cloud user can gain full control of the data volumes because access to the encrypted data is only possible—even for the deployed workload—if the corresponding KMS confirms so on a regular basis.

With this additional capability, more complex zero-trust principles can be realized. This integration is achieved through an optional third seed, which is generated by HPCS and stored in a metadata partition of the data volume. This third seed is wrapped with the Customer Root Key (CRK), which always remains within the HPCS hardware security module. The LUKS passphrase for data volume encryption is generated by using these three seeds. Refer to this documentation for more details.

Deploying multiple Open Container Initiatives (OCI) containers in one enclave

The Hyper Protect Container Runtime (HPCR) previously supported only one container as described by docker compose. This may not be sufficient for workloads needing to deploy multiple microservices within a single secure enclave. HPCR now supports multiple containers where one or more container definitions can be specified via pod descriptors.

This enables an HPVS secure enclave to run multiple containers and supports the notion of a sidecar design pattern where a side container, providing supporting features, is deployed alongside the main application container. The play subsection of the HPCR workload contract can specify containers via pod descriptors in multiple ways such as plain YAML format or in the archive or templates subsection of the contract. The container images described by pod descriptors can be validated by RedHat Simple Signing. For more information, see play subsection.

Hyper Protect Secure Build

Hyper Protect Secure Build can be used to build trusted container images within a secure enclave provided by IBM Hyper Protect Virtual Servers. The secure build process is designed to allow developers to securely build and sign containerized workload images in a trusted environment and deploy into an HPVS secure enclave, preventing malicious code from entering production environments. The secure build enclave is highly isolated, and developers can communicate only via specific APIs while cloud administrators cannot access the contents of the container.

The secure build server cryptographically signs the image and provides a manifest (collection of materials used during the build) for audit purposes. Since the private signing keys always remain protected within the enclave, the signatures can be used to verify whether the image and manifest are indeed from the secure build server and not tampered with before production deployment. This ensures the end-to-end supply chain integrity is protected and the source of components used is documented and tamper-protected through the manifest file. For details, see Secure Build.

SUSE SLE BCI images for confidential computing on Hyper Protect Virtual Server

SUSE and IBM work together to deliver advanced technical capabilities for confidential computing. IBM Z® and IBM LinuxONE systems provide key hardware capabilities for a trusted execution environment while SUSE Linux Enterprise Server (SLES) on IBM Z and LinuxONE is designed to deliver performance, security, reliability and efficiency for mission-critical workloads on IBM Z and LinuxONE systems.

The SLE BCI registry (SUSE Linux Enterprise Base Container Images) is available at no charge and provides a large set of security-hardened and certified base container images. It is now possible to deploy containerized workloads built off SLE BCI onto Hyper Protect Virtual Servers and gain regular updates and support for the workload through SUSE and the SLE BCI ecosystem.

Get started with IBM Hyper Protect Virtual Server for VPC today

See how easy it is to deploy your own instance with a few clicks. You can directly start to secure your application (e.g., for financial transactions) with confidential computing. Log in to IBM Cloud to get started now, or visit our site to learn more about IBM Hyper Protect Virtual Server for VPC.

More from Cybersecurity

IBM named a Leader in Gartner Magic Quadrant for SIEM, for the 14th consecutive time

3 min read - Security operations is getting more complex and inefficient with too many tools, too much data and simply too much to do. According to a study done by IBM, SOC team members are only able to handle half of the alerts that they should be reviewing in a typical workday. This potentially leads to missing the important alerts that are critical to an organization's security. Thus, choosing the right SIEM solution can be transformative for security teams, helping them manage alerts…

Data privacy examples

9 min read - An online retailer always gets users' explicit consent before sharing customer data with its partners. A navigation app anonymizes activity data before analyzing it for travel trends. A school asks parents to verify their identities before giving out student information. These are just some examples of how organizations support data privacy, the principle that people should have control of their personal data, including who can see it, who can collect it, and how it can be used. One cannot overstate…

How to prevent prompt injection attacks

8 min read - Large language models (LLMs) may be the biggest technological breakthrough of the decade. They are also vulnerable to prompt injections, a significant security flaw with no apparent fix. As generative AI applications become increasingly ingrained in enterprise IT environments, organizations must find ways to combat this pernicious cyberattack. While researchers have not yet found a way to completely prevent prompt injections, there are ways of mitigating the risk.  What are prompt injection attacks, and why are they a problem? Prompt…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters